Skip to main content

Using Hardware Wallets in the Openos CLI

Signing a transaction requires a private key, but storing a private key on your personal computer or phone leaves it subject to theft. Adding a password to your key adds security, but many people prefer to take it a step further and move their private keys to a separate physical device called a hardware wallet. A hardware wallet is a small handheld device that stores private keys and provides some interface for signing transactions.

The Openos CLI has first class support for hardware wallets. Anywhere you use a keypair filepath (denoted as <KEYPAIR> in usage docs), you can pass a keypair URL that uniquely identifies a keypair in a hardware wallet.

Supported Hardware Wallets

The Openos CLI supports the following hardware wallets:

Specify a Keypair URL

Openos defines a keypair URL format to uniquely locate any Openos keypair on a hardware wallet connected to your computer.

The keypair URL has the following form, where square brackets denote optional fields:

usb://<MANUFACTURER>[/<WALLET_ID>][?key=<DERIVATION_PATH>]

WALLET_ID is a globally unique key used to disambiguate multiple devices.

DERVIATION_PATH is used to navigate to Openos keys within your hardware wallet. The path has the form <ACCOUNT>[/<CHANGE>], where each ACCOUNT and CHANGE are nonnegative integers.

For example, a fully qualified URL for a Ledger device might be:

usb://ledger/BsNsvfXqQTtJnagwFWdBS7FBXgnsK8VZ5CmuznN85swK?key=0/0

All derivation paths implicitly include the prefix 44'/501', which indicates the path follows the BIP44 specifications and that any derived keys are Openos keys (Coin type 501). The single quote indicates a "hardened" derivation. Because Openos uses Ed25519 keypairs, all derivations are hardened and therefore adding the quote is optional and unnecessary.